How to Build a Task Manager API with Django REST Framework: Part 3 - Authentication and Permission

Introduction

Welcome back to our Django REST Framework (DRF) adventure! In Part 1, we set up our Django project, installed DRF, and built the Task model. In Part 2, we implemented API endpoints for CRUD operations, allowing us to create, read, update, and delete tasks.

In Part 3, we’ll add authentication and permissions to our Task Manager API. This will ensure that only authenticated users can access and modify tasks. By the end of this guide, you’ll have a secure API where users can register, log in, and perform operations based on their permissions.

Let’s dive in! 🚀

Table of Contents

• Step 1: Set Up Django Authentication
• Step 2: Add DRF Token Authentication
• Step 3: Build Registration and Login Endpoints
• Step 4: Secure Your Task Endpoints
• Step 5: Test Your Secure API
• Conclusion
• What’s Next?

Step 1: Set Up Django Authentication

Django’s got a built-in authentication system that’s perfect for managing users. Let’s make sure it’s ready to roll.

In taskmanager/settings.py, check that these apps are in INSTALLED_APPS:

 INSTALLED_APPS = [ ... 'django.contrib.auth', # User management 'django.contrib.contenttypes', # Required for auth 'rest_framework', # DRF core 'rest_framework.authtoken', # Token auth support 'tasks', # Our app ] 

Then, run migrations to apply the necessary database changes:

python manage.py migrate 

What’s this doing?

This sets up Django’s user tables (like auth_user) so we can handle logins and permissions. No extra work is needed—Django’s got your back!

Step 2: Add DRF Token Authentication

We’ll use Token Authentication from DRF, where each user gets a unique token to prove who they are. Update taskmanager/settings.py with:

REST_FRAMEWORK = { 'DEFAULT_AUTHENTICATION_CLASSES': ( 'rest_framework.authentication.TokenAuthentication', ), 'DEFAULT_PERMISSION_CLASSES': ( 'rest_framework.permissions.IsAuthenticated', # Only logged-in users allowed ), } 

What’s happening?

• TokenAuthentication: Users send a token with requests to authenticate.
• IsAuthenticated: Locks down all endpoints unless a valid token is provided.

To auto-generate tokens when users sign up, create tasks/signals.py:

from django.conf import settings from django.db.models.signals import post_save from django.dispatch import receiver from rest_framework.authtoken.models import Token from django.contrib.auth.models import User @receiver(post_save, sender=User) def create_auth_token(sender, instance=None, created=False, **kwargs): if created: Token.objects.create(user=instance) 

Then, link it in tasks/apps.py:

from django.apps import AppConfig class TasksConfig(AppConfig): default_auto_field = 'django.db.models.BigAutoField' name = 'tasks' def ready(self): import tasks.signals # Connect the signal 

Step 3: Build Registration and Login Endpoints

Let’s give users a way to join the party (register) and get in (log in).

Create a User Serializer

In tasks/serializers.py, add:

from django.contrib.auth.models import User from rest_framework import serializers class UserSerializer(serializers.ModelSerializer): password = serializers.CharField(write_only=True, required=True) class Meta: model = User fields = ['username', 'password'] def create(self, validated_data): user = User.objects.create_user(**validated_data) # Securely hashes password return user 

Add Registration and Login Views

Update tasks/views.py:

from django.contrib.auth import authenticate from rest_framework.authtoken.models import Token from rest_framework.response import Response from rest_framework.views import APIView from rest_framework import status from rest_framework.permissions import AllowAny from .serializers import UserSerializer class RegisterView(APIView): permission_classes = [AllowAny] # Anyone can register def post(self, request): serializer = UserSerializer(data=request.data) if serializer.is_valid(): user = serializer.save() token, _ = Token.objects.get_or_create(user=user) return Response({'token': token.key}, status=status.HTTP_201_CREATED) return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) class LoginView(APIView): permission_classes = [AllowAny] # Anyone can log in def post(self, request): username = request.data.get('username') password = request.data.get('password') user = authenticate(username=username, password=password) if user: token, _ = Token.objects.get_or_create(user=user) return Response({'token': token.key}, status=status.HTTP_200_OK) return Response({'error': 'Invalid Credentials'}, status=status.HTTP_400_BAD_REQUEST) 

Hook Up the URLs

In tasks/urls.py, add these routes:

from django.urls import path from .views import RegisterView, LoginView, TaskListCreateView, TaskDetailView urlpatterns = [ path('register/', RegisterView.as_view(), name='register'), path('login/', LoginView.as_view(), name='login'), path('tasks/', TaskListCreateView.as_view(), name='task-list-create'), path('tasks/<int:pk>/', TaskDetailView.as_view(), name='task-detail'), ] 

What’s this doing?

• Register: Creates a user and returns a token.
• Login: Checks credentials and hands out a token if they match.

Step 4: Secure Your Task Endpoints

Modify your TaskListCreateView and TaskDetailView to restrict access to authenticated users only.

Update tasks/views.py:

from rest_framework import generics from rest_framework.permissions import IsAuthenticated from .models import Task from .serializers import TaskSerializer class TaskListCreateView(generics.ListCreateAPIView): queryset = Task.objects.all() serializer_class = TaskSerializer permission_classes = [IsAuthenticated] class TaskDetailView(generics.RetrieveUpdateDestroyAPIView): queryset = Task.objects.all() serializer_class = TaskSerializer permission_classes = [IsAuthenticated] 

Why this matters:

The IsAuthenticated permission ensures users must send a valid token with every request—keeping your API safe from prying eyes.

Step 5: Test Your Secure API

Start your server:

python manage.py runserver 

We’ll use Postman to test. If you haven't already, download it from postman.com. It’s a free, user-friendly tool for API testing.

• Open Postman and create a new request.
• Set the method to POST and the URL to http://127.0.0.1:8000/api/register/.
• Go to the Body tab, select raw, and choose JSON from the dropdown.

Register a User

{ "username" : "kihuni", "password" : 1234 } 

Copy the token!

Log In a User

• Create a new request.
• Set method to POST and URL to http://127.0.0.1:8000/api/login/.
• In the Body tab, use raw JSON:

{ "username" : "kihuni", "password" : 1234 } 

Click Send. Expect the same token:

Add a Task

• New request: POST to http://127.0.0.1:8000/api/tasks/.

• In Headers, add:
  Key: Authorization
  Value: Token c80425f150f99e72553d43cfac2aaa113491de5d(use your token)

• In Body (raw JSON):
  

{ "title": "Myblog", "description": "My first task", "completed": false } 

Send it! You’ll see the task with an ID and timestamp.

Access Tasks

New request: Method GET, URL http://127.0.0.1:8000/api/tasks/.

• Headers tab:add:
  Key: Authorization
  Value: Token c80425f150f99e72553d43cfac2aaa113491de5d(use your token)

• Click Send.

• Expected: 200 OK, or your task list.

Conclusion

You’ve successfully added authentication and secured your Task Manager API. Now, only registered and authenticated users can access the API.

Summary Checklist

• ✅Set up Django’s auth and Task model migrations
• ✅Added DRF Token Authentication
• ✅Built open registration/login endpoints
• ✅Secured task endpoints
• ✅Tested with Postman

What’s Next?

In Part 4, we’ll explore how to add user-specific tasks so that each user can only manage their tasks. Stay tuned🚀